This is a much delayed discussion of the complexity and nuance of the SolarWinds hack. Simplistic and wrong messaging from some quarters of the infosec community has produced an atrocious misunderstanding of the hack in the public sphere, and that misunderstanding has spread into the policy world, where these bad takes are treated as cogent analysis.
I wrote this back in December, but months later this bad analysis is still brought up in the policy space.
Espionage is the second oldest profession
It is a truth universally acknowledged that, with spying, the ends justify the means. This is true for every espionage organisation, the opposition's and your own. Why is that relevant? Because any standard used to hamper the opposition will also apply to, and hamper, yours.
Sometimes laying down blanket rules about acceptable espionage behaviour is not a problem. Almost always that is when a certain type of operation is out of character for the society that produces the espionage agency. China makes extensive use of its diaspora community for espionage. The US has thousands of trained professionals and does not use its diaspora community for organic, bottom-up collection. The US sometimes co-opts civilians (and China has professionals too), but generally speaking the diaspora method is one that only China uses extensively.
Extending this a bit further: if an espionage rule were proposed that banned the use of professionals but allowed the use of amateur civilians, China could easily adapt to the new environment. The US would be severely constrained. For that reason the US would not sign up to, or abide by, such a requirement. (This is complicated further by the nature of the targets for espionage and by national policy, but we can explore that another day.)
This brings me to targeting civilian companies and supply chain attacks. The US uses these methods just as frequently as the Russians, if not more so. Flame, a strain of malware that targeted entities in the Middle East, exploited a cryptographic weakness (an MD5 collision against a Microsoft licensing certificate chain) to forge a code-signing certificate that chained up to Microsoft. Its operators, reported to be the NSA, were then able to impersonate Windows Update on victim networks and deliver malicious code as if it were a Microsoft update. And just like SolarWinds, it was tightly targeted to ensure that only legitimate espionage targets were infected and collected from.
There is no rule that would prohibit the SolarWinds espionage campaign which the US would be willing to abide by itself.
Russian Intelligence aren’t script kiddies
Here's the thing: the attackers are Russian foreign intelligence, the cream of the old KGB, and they will find a way to gain access to their target. Do they need to recruit a developer at the company and trick them into installing malware? Then they will do that.
They do not need to get into the target via a weak password on the build servers. If that is what they use, then that is what they use, but it is not the make-or-break factor for the operation.
Part of the problem here may be that a superficial understanding of the cyber kill chain gives the impression that if you just stop The One Critical TTP in the chain you will defeat the opposition. That is only true of an opposition that is inflexible and uses just one technique, and that description does not apply to the Russian intelligence services.
Intelligence agencies have targets and they will find the techniques to access them. They don't start with a technique and look for targets they can access with it.
The SolarWinds backdoor was deeply integrated into the code; it was injected during their build process, and there is no way that a server having a weak password was the pivotal factor. As if Russian intelligence would just give up if there were a strong password instead!
There is practically no chance that the server's password was in any way relevant to the hack overall. I can forgive the ignorance from the news media, but some infosec people are repeating this garbage as if it were an important part of the SolarWinds compromise.
“The offense is routinely underestimated. When companies are hacked, they react as if they had only done this one thing or avoided this one mistake everything would have been okay. The adversary is treated as if they just got lucky.” — Network Attacks and Exploitation @networkattack
People suggest that the weak password example is relevant because it illustrates the poor security practices overall. I would agree with you if that were the argument presented. It was not. You have to work with the words people said, not what you wish they had said.
"Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds' update server by using the password 'solarwinds123'.
'This could have been done by any attacker, easily,' Kumar said."
I absolutely agree with the “it is illustrative of poor security practice” but… that isn’t what was said. They literally said that the weak password means that the attacker could be anyone. Anyone could do it. That is the dumbest take.
The KGB vs a software vendor? Bet KGB.
Here’s the thing.
I'm perfectly willing to believe that their build servers were using "admin:admin" and that's how the Russians gained access to inject their code... but this was a clandestine intelligence operation. They did not succeed merely because SolarWinds had poor password hygiene.
The SVR was formed from the cream of the KGB — the first chief directorate (FCD). The most prestigious directorate in the KGB. As the SVR they are still formidable.
Was SolarWinds picked due to its poor security?
I suspect the primary motivation was the access that would be enabled by the attack, not the vulnerable nature of the company. This is the SVR, the cream of the KGB (first chief directorate). They are not going to be bothered by password policy.
That's what kinda annoys me... however easy SolarWinds may have been to hack, they were hacked by the fucking First Chief Directorate of the KGB. Quite possibly the people that are frying diplomats' brains with microwaves in Havana. They're pretty fucking metal.
Could SolarWinds have been too hard a target for the KGB to use in an enablement operation? Yes, it is possible to reach that level of security. Building a strong, fast detection capability with rapid remediation and incident response makes it hard for attackers to dwell for any length of time, or to persist on a system after they gain access. The control that matters is detection and response around the build pipeline itself, not the password on any one server. It requires vigilance and some effort, but it can be done. Of course, SolarWinds wasn't close to reaching that level.
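To make the "injected during the build process" point concrete, here is an added example (not code from the original post, and not SolarWinds' own tooling) of the kind of build-pipeline detection the previous paragraph is talking about: a manifest of the checked-out source tree is recorded before the build starts and compared against what the compiler is actually about to read, so a source file swapped on the build host between checkout and compile is flagged. The file names, directory layout and the "backdoored" contents are all constructed for the demonstration. The caveat the post itself implies still applies: an adversary who controls the build host can also tamper with this verifier, so it is one detection layer, not a silver bullet.

```python
"""Build-input integrity check: detect a source file swapped between checkout and compile.

Illustrative example only; file names and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large sources are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256, in sorted order."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(expected: dict[str, str], observed: dict[str, str]) -> list[str]:
    """Compare the checkout-time manifest with what the compiler is about to read.

    Returns human-readable findings; an empty list means the build inputs match.
    """
    findings = []
    for rel, digest in expected.items():
        if rel not in observed:
            findings.append(f"missing at build time: {rel}")
        elif observed[rel] != digest:
            findings.append(f"modified between checkout and compile: {rel}")
    for rel in observed:
        if rel not in expected:
            findings.append(f"unexpected file fed to compiler: {rel}")
    return findings


def demo() -> list[str]:
    """Simulate a checkout, a tamper step that swaps one source file just before
    compilation, and the verification that catches it. All content is constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "Program.cs").write_text("class Program { static void Main() { } }\n")
        (src / "Inventory.cs").write_text("class Inventory { }\n")

        # Manifest taken at checkout, before the build starts.
        expected = manifest(src)

        # Constructed tamper step: a legitimate source file is replaced on the
        # build host with a backdoored copy right before the compiler runs.
        (src / "Inventory.cs").write_text("class Inventory { /* backdoor */ }\n")

        # Manifest of what the compiler will actually read.
        observed = manifest(src)
        return verify(expected, observed)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In a real pipeline the checkout-time manifest would be produced on a separate, trusted system (or derived from signed commits) and the comparison run by a process the build host cannot modify; otherwise the verifier shares the build host's fate.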